Note: Story updated on April 17 to reflect second dump of Shadowbrokers files.
The ShadowBrokers hacking group made two more splashes this month, resulting in both a ripple and a wave.
Firstly, it released the password for the archive of NSA hacking tools that it originally tried to sell off last August, causing a collective ‘meh’ from the Internet. Then, it dropped another set of files that placed large numbers of Windows machines in danger, leaving some to call the tools ‘god mode’ for Internet-connected Microsoft boxes. Let’s take them in order.
We still don’t know too much about this shady group – or individual – other than that it dropped a bombshell on the intelligence community last year, publishing a teaser document with some free files to hacking tools stolen from the NSA’s Equation Group intrusion project, and offering to auction the rest.
Some suggested that the group may be linked to Russia, and that the release of the tools was a message for the US administration, which at the time was incensed by allegations of Russian involvement in the DNC hack.
In October, the ShadowBrokers followed up with a list of IPs linked to Equation Group missions, and a reported further attempt to sell the files directly on the dark web.
The disadvantage of using a bitcoin address when trying to sell off illicit material is that everyone gets to see how poorly you did. Whoever they are, the ShadowBrokers have repeatedly said that they’re in it for the money. If so, their attempt to enter the world of high-end cybercrime didn’t go too well.
So in January, irked by the failure of their auction, they announced their retirement, and in the process dropped 58 Windows tools that they found were detected by Kaspersky.
…”and another thing”
Now, the ShadowBrokers made the worst mistake that anyone flouncing out of a room and slamming the door could have done. They came back. This time, they posted the password to the entire set of NSA tools, along with a long, rambling political diatribe criticizing Donald Trump for not being Trumpy enough and sticking to his original plan.
So, now that they’ve spilled the beans, we can get a look inside Pandora’s box. What exactly were they trying to sell?
Nothing very useful, as it turns out.
They promised a lot. From a message in mid-October:
“TheShadowBrokers is having more EquationGroup tool kits for other platforms Windows, Unix/Linux, Routers, Databases, Mobile, Telecom. Newer revisions too. The auction file is toolkit for one of other platforms. Includes remote exploits, local exploits/privilege escalations, persistence mechanisms, RATs, LPs, post-exploit collection utilities. Value estimated in millions of euros/dollars.”
In reality, the contents of the password-protected file were underwhelming, says Cris Thomas (aka Space Rogue), strategist at Tenable Network Security. As a member of L0pht, Thomas knows a thing or two about exploit efficacy.
“The encrypted data dump released by the ShadowBrokers isn’t new or nearly as damaging as previous leaks,” he sniffs.
“The exploits included in this latest batch of information have either already been patched or are relatively old and impact esoteric platforms,” he continues. “The more impactful data are things like cryptographic keys and what appear to be logs from breached servers.”
Ed Snowden, who keynoted at SecTor’s 10th annual conference in 2016, agrees. He initially tweeted that the NSA had lost control of its arsenal of top secret weapons, but subsequently said that it was far from the full set. What was more interesting, he said, was a list of allied infrastructure unlawfully hacked by the NSA:
It hasn’t been reported by anyone yet as far as I’ve seen, but aside from the leak itself, it may be the most newsworthy thing in there. https://t.co/ZxWXlTMto2
— Edward Snowden (@Snowden) April 9, 2017
The attack tools revealed in the haul target older systems, including some older Linux distros. But one juicy tidbit was an attack for Solaris, which experts have confirmed works on version 10 and below, and possibly on the latest version, 11.
This is probably the most damaging tool among the previously unreleased ones. The Solaris hacking tools enable an attacker to get root access on any Solaris system in the world, with little technical knowledge, said one UK hacking expert who has examined the files.
That’s all very well, said Thomas, but let’s put it in perspective.
“While the remote root for Solaris is a serious threat to those still running the operating system, it doesn’t impact that many people,” he said, adding that Oracle shipped the last version of Solaris back in October 2015. He also points to a W3Techs web technology survey showing fewer than 0.1 percent of web servers running Solaris.
“Although there are probably a few additional servers that may not be reachable from the web, there aren’t many,” he advises.
Any root escalation attack on an existing operating system is a relatively big deal, but given the penetration of Solaris, it certainly won’t be the next Heartbleed. ShadowBrokers seems to have leaked the good stuff first and left far less relevant material locked up in its password-protected archive.
Another, more dangerous drop
The second file drop, which came on Good Friday, saw a collection of NSA hacking tools aimed at Windows boxes. These tools also dated back to 2013, meaning that they don’t affect Windows 10 boxes, according to experts. Nevertheless, they can hit desktop versions up to Windows 8, along with multiple server versions.
The tools included code with explicit references to Stuxnet, along with a tool called FUZZBUNCH – a hacking suite that contains several plug and play exploits. Security experts called it ‘Metasploit but with zero days’. As it turns out, the severity of the drop may have been overblown; Microsoft explained that it has already patched most of these exploits, and that the three unpatched ones don’t work on supported systems, meaning that anyone running Windows 7, Exchange 2010 or more recent versions therefore don’t have to worry.
Echoing the first April drop, the more significant findings from the latest files may not be the hacking tools, so much as the evidence of NSA hacks. The files included references to a hack of the SWIFT currency transfer network.
Whether the ShadowBrokers was a Russian hacking operation or an independent group, it seems that its secrets are finally spent. Experts have suggested that the tools they stole were pre-Snowden era, given that they date back to mid-2013 and no later.
If previous activity is anything to go by, we haven’t seen the last of this group. Their most recent message says: “Maybe if all suviving WWIII theshadowbrokers be seeing you next week. Who knows what we having next time?”
One thing’s for sure: patching your systems is more important these days than ever before.